IPSEC Tunnel - Need Help

Started by arthurkahwa_ap, October 17, 2019, 11:09:10 AM

Dear Forum,
I'm new to the Opnsense system and need a bit of help setting up an IPSEC tunnel to a customer site.
We received settings from the customer, which we have tried, but the tunnel is not established.
The logs are the following. I have also attached the configuration from both sides.
I have also carried out the steps and settings from the IPsec tutorial, but there is still no tunnel.
The customer side of the tunnel is a
Hardware Version: FortiGate-1500D
Software Version: v5.6.8,build1672,190130 (GA)


Our side of the tunnel is the latest Opnsense stable version.

Thanks,
Arthur Kahwa


-- Config - Customer side
Phase 1 :
=====================

config vpn ipsec phase1-interface
    edit "A+P_NEW"
        set type static
        set interface "dmz-ras-1"
        set ip-version 4
        set ike-version 2
        set local-gw 0.0.0.0
        set keylife 120
        set authmethod psk
        unset authmethod-remote
        set peertype any
        set passive-mode disable
        set exchange-interface-ip disable
        set mode-cfg disable
        set proposal aes256-sha256
        set localid ''
        set localid-type auto
        set auto-negotiate enable
        set negotiate-timeout 30
        set fragmentation enable
        set dpd disable
        set forticlient-enforcement disable
        set comments ''
        set npu-offload enable
        set dhgrp 14
        set suite-b disable
        set eap disable
        set wizard-type custom
        set reauth disable
        set idle-timeout disable
        set ha-sync-esp-seqno enable
        set auto-discovery-sender disable
        set auto-discovery-receiver disable
        set auto-discovery-forwarder disable
        set encapsulation none
        set nattraversal enable
        set fragmentation-mtu 1200
        set childless-ike disable
        set rekey enable
        set remote-gw 213.148.149.162
        set monitor ''
        set add-gw-route disable
        set psksecret ENC wGKUsGPtpZkifnwX594kzKW5tzAdDD738t+IgMvVoAs7VXqNnewCXX0dUh0ufVbw5BQvf+U/wR3NmjZAFVhGBfmv/bxVqn1ZIXS1P3owUkWUV0jnqyppZuLC4FGJHPkYN081ifOIZnaCd8+1UDd0TpBEPZX7BDH4f29C3tVCx85CMQWfD7KH7lA7lDMTelEjGC3EIw==
        set keepalive 10

======================


Phase 2 :
===================

config vpn ipsec phase2-interface
    edit "A+P_NEW_P2"
        set phase1name "A+P_NEW"
        set proposal aes256-sha1
        set pfs enable
        set dhgrp 2
        set replay enable
        set keepalive disable
        set auto-negotiate disable
        set auto-discovery-sender phase1
        set auto-discovery-forwarder phase1
        set keylife-type seconds
        set encapsulation tunnel-mode
        set comments ''
        set protocol 0
        set src-addr-type name
        set src-port 0
        set dst-addr-type name
        set dst-port 0
        set keylifeseconds 3600
        set src-name "net-local-econ"
        set dst-name "net-remote-a-und-p-architekten"
    next
end
=============================

config firewall address
    edit "net-local-econ"
        set uuid d5a6014e-25ee-51e7-7fbb-cb85ecc2ef13
        set subnet 193.103.204.0 255.255.255.0
    next
end

config firewall address
    edit "net-remote-a-und-p-architekten"
        set uuid d5a94066-25ee-51e7-8a97-837be6c8c108
        set subnet 10.246.1.0 255.255.255.0
    next
end
============================

--- DEBUG - Customer side --
ike 5:AP_NEW:124598393: negotiation timeout, deleting
ike 5:AP_NEW: connection expiring due to phase1 down
ike 5:AP_NEW: deleting
ike 5:AP_NEW: deleted
ike 5:AP_NEW: schedule auto-negotiate
ike 5:AP_NEW:AP_NEW_P2: chosen to populate IKE_SA traffic-selectors
ike 5:AP_NEW: no suitable IKE_SA, queuing CHILD_SA request and initiating IKE_SA negotiation
ike 5:AP_NEW:124598674: out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
ike 5:AP_NEW:124598674: sent IKE msg (SA_INIT): 169.254.72.200:500->213.148.149.162:500, len=440, id=0212d09ebfb814c2/0000000000000000
ike 5: comes 213.148.149.162:500->169.254.72.200:500,ifindex=85....
ike 5: IKEv2 exchange=SA_INIT_RESPONSE id=0212d09ebfb814c2/05a37b0b91947f64 len=36
ike 5: in 0212D09EBFB814C205A37B0B91947F64292022200000000000000024000000080000000E
ike 5:AP_NEW:124598674: initiator received SA_INIT response
ike 5:AP_NEW:124598674: processing notify type NO_PROPOSAL_CHOSEN
ike 5:AP_NEW:124598674: malformed message
ike 5:AP_NEW:124598674: negotiation timeout, deleting
ike 5:AP_NEW: connection expiring due to phase1 down
ike 5:AP_NEW: deleting
ike 5:AP_NEW: deleted
ike 5:AP_NEW: schedule auto-negotiate
ike 5:AP_NEW:AP_NEW_P2: chosen to populate IKE_SA traffic-selectors
ike 5:AP_NEW: no suitable IKE_SA, queuing CHILD_SA request and initiating IKE_SA negotiation
ike 5:AP_NEW:124598957: out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
ike 5:AP_NEW:124598957: sent IKE msg (SA_INIT): 169.254.72.200:500->213.148.149.162:500, len=440, id=45a441373e59e499/0000000000000000
ike 5: comes 213.148.149.162:500->169.254.72.200:500,ifindex=85....
ike 5: IKEv2 exchange=SA_INIT_RESPONSE id=45a441373e59e499/4a9efaef53188fcc len=36
ike 5: in 45A441373E59E4994A9EFAEF53188FCC292022200000000000000024000000080000000E
ike 5:AP_NEW:124598957: initiator received SA_INIT response
ike 5:AP_NEW:124598957: processing notify type NO_PROPOSAL_CHOSEN
ike 5:AP_NEW:124598957: malformed message
ike 5:AP_NEW:124598957: negotiation timeout, deleting
ike 5:AP_NEW: connection expiring due to phase1 down
ike 5:AP_NEW: deleting
ike 5:AP_NEW: deleted
ike 5:AP_NEW: schedule auto-negotiate
ike 5:AP_NEW:AP_NEW_P2: chosen to populate IKE_SA traffic-selectors
ike 5:AP_NEW: no suitable IKE_SA, queuing CHILD_SA request and initiating IKE_SA negotiation
ike 5:AP_NEW:124599231: out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
ike 5:AP_NEW:124599231: sent IKE msg (SA_INIT): 169.254.72.200:500->213.148.149.162:500, len=440, id=a05c9aceadb0bbe7/0000000000000000
ike 5: comes 213.148.149.162:500->169.254.72.200:500,ifindex=85....
ike 5: IKEv2 exchange=SA_INIT_RESPONSE id=a05c9aceadb0bbe7/6426487735f2290b len=36
ike 5: in A05C9ACEADB0BBE76426487735F2290B292022200000000000000024000000080000000E
ike 5:AP_NEW:124599231: initiator received SA_INIT response
ike 5:AP_NEW:124599231: processing notify type NO_PROPOSAL_CHOSEN
ike 5:AP_NEW:124599231: malformed message
ike 5:AP_NEW:124599231: negotiation timeout, deleting
ike 5:AP_NEW: connection expiring due to phase1 down
ike 5:AP_NEW: deleting
ike 5:AP_NEW: deleted
ike 5:AP_NEW: schedule auto-negotiate
ike 5:AP_NEW:AP_NEW_P2: chosen to populate IKE_SA traffic-selectors
ike 5:AP_NEW: no suitable IKE_SA, queuing CHILD_SA request and initiating IKE_SA negotiation
ike 5:AP_NEW:124599507: out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
ike 5:AP_NEW:124599507: sent IKE msg (SA_INIT): 169.254.72.200:500->213.148.149.162:500, len=440, id=fffe599770780504/0000000000000000
ike 5: comes 213.148.149.162:500->169.254.72.200:500,ifindex=85....
ike 5: IKEv2 exchange=SA_INIT_RESPONSE id=fffe599770780504/c0da0deadef46499 len=36
ike 5: in FFFE599770780504C0DA0DEADEF46499292022200000000000000024000000080000000E
ike 5:AP_NEW:124599507: initiator received SA_INIT response
ike 5:AP_NEW:124599507: processing notify type NO_PROPOSAL_CHOSEN
ike 5:AP_NEW:124599507: malformed message
ike 5:AP_NEW:124599507: negotiation timeout, deleting
ike 5:AP_NEW: connection expiring due to phase1 down
ike 5:AP_NEW: deleting
ike 5:AP_NEW: deleted
ike 5:AP_NEW: schedule auto-negotiate
ike 5:AP_NEW:AP_NEW_P2: chosen to populate IKE_SA traffic-selectors
ike 5:AP_NEW: no suitable IKE_SA, queuing CHILD_SA request and initiating IKE_SA negotiation
ike 5:AP_NEW:124599771: out 236351101FDF233000000000000000002120220800000000000001B8220000300000002C010100040300000C0100000C800E01000300000802000005030000080300000C000000080400000E28000108000E0000192188A6508109BE4257141162D0CEFBF8E1A46117C0B0FE72069F0367EFC2C2E64AB456645BE5B74F1C7E549A69F4EDAADC4A2CDFA8EF3EDB2D82CEA0CFC7AB889C290DF46E42C8EF69DEA20C089DE18DDE37FB8CDC0E78425A48EA5107409C0311B32EBDA61ACA0E4BACAF6091B4796B9B7F2165D51CB32CCF614A003EE8265D89E21F54FC34615D0C3602089C874182E08FB00163CEEDB5248910F565CA26BD415AD17F80BEC37D8A44C10D9E463A36B41D7A66A308FC26FCE69C5192FDCD8999CCEF3EEFBE6E199EE214A4DB3B8CDF9F79B3BE552417C2ACAB98DBCB9035938F962216D90BFE3E16AA64A01761B18B86C0F7939EF7132394CEDB3E2F126129000024E98B81F496A20BADBC0CC7BC2B730DC44FFEF18FE328CDDAE8CE494C202A47BB2900001C0000400465B3309A6BD9AE5A9210AEC060783453D44D6AC02900001C00004005684F88C3348E5084C0BDCDC5C9FABA98970CE927000000080000402E
ike 5:AP_NEW:124599771: sent IKE msg (SA_INIT): 169.254.72.200:500->213.148.149.162:500, len=440, id=236351101fdf2330/0000000000000000
ike 5: comes 213.148.149.162:500->169.254.72.200:500,ifindex=85....
ike 5: IKEv2 exchange=SA_INIT_RESPONSE id=236351101fdf2330/1910fa4a4b7d6f6b len=36
ike 5: in 236351101FDF23301910FA4A4B7D6F6B292022200000000000000024000000080000000E
ike 5:AP_NEW:124599771: initiator received SA_INIT response
ike 5:AP_NEW:124599771: processing notify type NO_PROPOSAL_CHOSEN
ike 5:AP_NEW:124599771: malformed message
----------


Hi,

did you change the IP addresses in the log?
Does the customer side really use 169.254.72.200?
That range is used by DHCP clients when there is a problem with the DHCP server.

regards,
Ralf

October 21, 2019, 09:04:56 PM #2 Last Edit: October 21, 2019, 09:31:28 PM by arthurkahwa_ap
Hi Ralf,
no, I did not change any of the IP addresses in the log.
I will check with the client whether they are using these addresses on purpose, for some reason.

We received and followed the following plan from our partners.
Maybe this can shed more light on the situation.

Thanks,
Arthur